By Bruce Sussman
Mon | Oct 12, 2020 | 6:44 AM PDT

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a new joint alert about nation-state-linked cyberattacks targeting both organizations and government agencies.

And with very little daylight left between now and election day, CISA says the threat actors have managed to access "election support systems."

"CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity."

SLTT stands for state, local, tribal, and territorial government networks.

CISA and FBI: threat actors chaining vulnerabilities together to succeed

If you're an advanced persistent threat (APT) actor, a nation-state cyber actor, what is better than one known security hole? Several security vulnerabilities linked together. From the advisory:

"CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application."

Attackers are using the Windows Netlogon vulnerability as part of a privilege escalation scheme, granting themselves greater access to a network after the initial compromise.

And if you see this at your organization, CISA says a time-consuming effort at regaining security is ahead of you:

"If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised active directory (AD) administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed.

Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through 'creative destruction,' wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously."

CISA says it is also critical to perform a full password reset on all user and computer accounts in the Active Directory forest.
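The advisory's trigger for a forest rebuild is "an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse." As an added example that is not part of the alert or this article, the Python below triages a handful of constructed Windows event records for two such indicators: the Netlogon events 5827-5831 that patched domain controllers emit for vulnerable secure-channel connections, and a 4742 computer-account change whose subject is ANONYMOUS LOGON. The record layout and all hostnames and account names are constructed assumptions, not real telemetry.

```python
# Constructed sample records, loosely modelled on Windows System log (source Netlogon)
# and Security log (event 4742/4624) fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"log": "System", "source": "Netlogon", "event_id": 5829, "computer": "DC01", "account": "WS17$"},
    {"log": "System", "source": "Netlogon", "event_id": 5827, "computer": "DC01", "account": "OLDPRN$"},
    {"log": "Security", "event_id": 4742, "computer": "DC01", "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    {"log": "Security", "event_id": 4742, "computer": "DC01", "subject": "SCCM_SVC", "target": "WS20$"},
    {"log": "Security", "event_id": 4624, "computer": "DC01", "subject": "-", "target": "jdoe", "logon_type": 10},
]

# Netlogon events on domain controllers carrying the CVE-2020-1472 update:
# 5827/5828 = vulnerable connection denied; 5829/5830/5831 = vulnerable connection allowed.
NETLOGON_VULNERABLE_DENIED = {5827, 5828}
NETLOGON_VULNERABLE_ALLOWED = {5829, 5830, 5831}


def triage_netlogon_events(events):
    """Return (severity, description) findings for the CVE-2020-1472 indicators above."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        src = ev.get("source")
        if src == "Netlogon" and eid in NETLOGON_VULNERABLE_ALLOWED:
            # A vulnerable channel was permitted (policy exception or enforcement not yet on).
            findings.append(("HIGH", f"vulnerable Netlogon secure channel allowed for "
                                     f"{ev['account']} on {ev['computer']} (event {eid})"))
        elif src == "Netlogon" and eid in NETLOGON_VULNERABLE_DENIED:
            # Enforcement held, but a device still speaks the insecure channel; track it.
            findings.append(("MEDIUM", f"vulnerable Netlogon connection denied for "
                                       f"{ev['account']} on {ev['computer']} (event {eid})"))
        elif (eid == 4742 and ev.get("subject", "").upper() == "ANONYMOUS LOGON"
              and ev.get("target", "").endswith("$")):
            # A machine account (here a DC) changed by an anonymous subject: treat as
            # credential abuse and apply the advisory's assume-compromise stance.
            findings.append(("CRITICAL", f"computer account {ev['target']} modified by "
                                         f"ANONYMOUS LOGON on {ev['computer']} (event 4742)"))
    return findings


def assume_ad_compromised(findings):
    """True when any finding meets the advisory's 'assume AD admin accounts compromised' bar."""
    return any(sev == "CRITICAL" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in triage_netlogon_events(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
    print("forest rebuild indicated:", assume_ad_compromised(triage_netlogon_events(SAMPLE_EVENTS)))
```

The ordinary 4742 from a service account and the interactive 4624 are left alone, so the script surfaces only the records that map to the advisory's trigger conditions.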

CISA details what the TTPs look like in this attack

The alert lists observed chaining of vulnerabilities but notes that many other vulnerabilities could be leveraged:

"Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding.

After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities."

Do you need third-party incident response help?

Lastly, CISA suggests looking to outside help to supplement your in-house team, because it could make a significant difference:

"Consider soliciting incident response support from a third-party IT security organization to:

  • Provide subject matter expertise and technical support to the incident response
  • Ensure that the actor is eradicated from the network
  • Avoid residual issues that could result in follow-up compromises once the incident is closed"